3 Assessing vs Auditing
- Assessment—Evaluation: judgement about something based on an understanding of the situation.
- Audit—Verification: judgement of extent of compliance with formal policies.
- Goals today:
  - Facilitate both assessments and audits
  - Provide wider context than simply compliance with formal written policies.
  - Increase awareness of issues so that auditors can engage in more productive discussion with IT and security colleagues

9 Problem: Missing Elements
Which principle of the C-I-A triad has been breached when
- A child takes bank card with password in envelope but does not open it?
- Someone sends threat to President using your address but not your logon?
- Someone converts all the salary figures in your database to Iraqi Dinars?
ANSWER: NONE OF THEM – THE TRIAD IS INSUFFICIENT TO DESCRIBE SECURITY BREACHES

28 CAN-SPAM Act (2003)
- Dictates requirements for opt-out facilities
- Requires identification of source
- Completely useless in stopping criminal spammers
- Fines for violation of restrictions
- Can lead to problems for legitimate businesses whose employees are ignorant of law and Internet culture
  - Marketing manager contracts with spammer
  - Employee sends spam on own initiative

46 Works Made for Hire
- Full-time employees generally forfeit claim to work created expressly for purpose of their job
  - Copyright belongs to the employer
- Employers' rights do not apply to creative work outside employment
  - Not created with employer facilities, tools
  - Not interfering with regular work
  - Created outside normal working hours
- Problems can occur when creative outside work is directly related to job function

75 Trademarks
- Purpose
- Definition and Types
- Classes of Marks
- Application and Exceptions to Grant
- Nature of Protection
- Relief for Violation

76 Purpose of Trademarks
- Represent origin of goods or services
- For the producer
  - Use symbol or other designation
  - Represent who makes goods or provides service
  - Reap financial rewards resulting from past quality
- For the consumer
  - Allow quick recognition of goods or services as being from same manufacturer or provider
  - Prevent confusion and counterfeits

77 Definition and Types of Marks
- Trademark
  - Word, name, symbol, device or combination
  - Used to distinguish goods from other similar goods
- Service mark
  - Identifying and distinguishing services
- Collective mark
  - TM or SM
  - Coöp, association, union, guild
- Certification mark
  - Assertion of compliance with standards or origin by certifying organization

82 Nature of Protection for Trademarks
- Prevent confusion by users
- Factors considered by the courts
  - Similarity of marks
  - Similarity of goods
  - Relationship between parties offering goods
  - Classes of purchasers
  - Evidence of confusion
  - Defendant's intent
  - Strength of plaintiff's mark

84 Relief for Violation of Trademarks
- Injunction prohibiting continued violation
- Seizure of goods and counterfeit marks
- Recovery of plaintiff's profits
- Destruction of infringing goods and advertising
- Recovery of actual damages incurred (loss of profits, goodwill)
- Recovery of legal costs including attorney's fees in some cases

86 The Domain Name System
- Converts words (e.g., into IP addresses (e.g., )
- Early years – DARPA contract with USC
- 1992: NSFNET opened to .com users
  - Network Solutions Inc. became registrar for .com, .net, .org
- 1998: ICANN (Internet Corporation for Assigned Names and Numbers)
  - Established by US government
  - Highly controversial – much political turmoil over actions, governance

87 Hyperlinks and Trademarks
- Cannot legally use
  - Others' trademarks or logos on a Web site without permission
  - Framing to bring another's content directly into a page that appears to be created by another site
  - Others' trademarks in invisible metatags visible to search engines

88 Federal Trademark Dilution Act of 1995
- Prior to 1995, courts had to rule against plaintiff if no confusion could be shown
- Thus radically different businesses could use existing trademarks without infringing the Lanham Act
- But large companies with famous trademarks argued that frequent use diluted value of their marks
- Congress passed TDA of 1995 to protect such plaintiffs even when no confusion likely

89 Cybersquatting Cases Have Used Trademark Dilution Act
- Many examples of parasites who register famous trademarks or people's names as DNS entries
- Hope to capitalize by extorting money to sell registration to legitimate users
- Many firms have appealed under ICANN rules or gone to court for trademark dilution
- Intermatic Inc. vs Toeppen an excellent example of case illuminating the issues
  - Defendant registered 240 domain names using famous company names and trademarks
  - Intermatic argued that Toeppen should not be able to block its use of its TM in domain name
  - Judge ruled in favor of plaintiff because of dilution

90 Anticybersquatting Consumer Protection Act of 1999
- Increasing complaints about cybersquatting
- Bad faith use of TM, company name or person's name defined clearly for domain names
- Multiple criteria
  - Most significant: offer to sell or transfer domain name
    - For financial gain
    - Without prior use for real business
  - Registration of multiple similar infringing domain names
- Statutory damages of $1,000-$100,000 per domain name

91 International Protection of Trademarks
- Paris Convention for the Protection of Industrial Property (1883)
  - National treatment – same rules for all
  - Rights of priority for filing of registration
  - Similar rights of refusal of registration
  - Seizure of contraband / counterfeits
- Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS, 1994)
  - Includes TM protection
  - 7-year terms of protection with unlimited renewals